Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies;
false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and
the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties,
implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided
is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever
arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
* indicates the dependency has a known exploited vulnerability
Dependencies (vulnerable)
asm-9.9.jar
Description:
ASM, a very small and fast Java bytecode manipulation framework
License:
BSD-3-Clause: https://asm.ow2.io/license.html
File Path: /home/runner/.m2/repository/org/ow2/asm/asm/9.9/asm-9.9.jar MD5: 6d1dd0482c03a6dc1807d9d004456021 SHA1: c29635c8a7afa03d74b33c1884df8abb2b3f3dcc SHA256:03d99a74ad1ee5c71334ef67437f4ef4fe3488caa7c96d8645abc73c8e2017d4 Referenced In Project/Scope: waffle-jetty:provided asm-9.9.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.ow2.asm/asm-commons@9.9
Evidence
Type
Source
Name
Value
Confidence
Vendor
file
name
asm
High
Vendor
jar
package name
asm
Highest
Vendor
jar
package name
objectweb
Highest
Vendor
Manifest
bundle-docurl
http://asm.ow2.org
Low
Vendor
Manifest
bundle-requiredexecutionenvironment
J2SE-1.5
Low
Vendor
Manifest
bundle-symbolicname
org.objectweb.asm
Medium
Vendor
pom
artifactid
asm
Highest
Vendor
pom
artifactid
asm
Low
Vendor
pom
developer email
ebruneton@free.fr
Low
Vendor
pom
developer email
eu@javatx.org
Low
Vendor
pom
developer email
forax@univ-mlv.fr
Low
Vendor
pom
developer id
ebruneton
Medium
Vendor
pom
developer id
eu
Medium
Vendor
pom
developer id
forax
Medium
Vendor
pom
developer name
Eric Bruneton
Medium
Vendor
pom
developer name
Eugene Kuleshov
Medium
Vendor
pom
developer name
Remi Forax
Medium
Vendor
pom
groupid
org.ow2.asm
Highest
Vendor
pom
name
asm
High
Vendor
pom
organization name
OW2
High
Vendor
pom
organization url
http://www.ow2.org/
Medium
Vendor
pom
parent-artifactid
ow2
Low
Vendor
pom
parent-groupid
org.ow2
Medium
Vendor
pom
url
http://asm.ow2.io/
Highest
Product
file
name
asm
High
Product
jar
package name
asm
Highest
Product
jar
package name
objectweb
Highest
Product
Manifest
bundle-docurl
http://asm.ow2.org
Low
Product
Manifest
Bundle-Name
org.objectweb.asm
Medium
Product
Manifest
bundle-requiredexecutionenvironment
J2SE-1.5
Low
Product
Manifest
bundle-symbolicname
org.objectweb.asm
Medium
Product
Manifest
Implementation-Title
ASM, a very small and fast Java bytecode manipulation framework
High
Product
pom
artifactid
asm
Highest
Product
pom
developer email
ebruneton@free.fr
Low
Product
pom
developer email
eu@javatx.org
Low
Product
pom
developer email
forax@univ-mlv.fr
Low
Product
pom
developer id
ebruneton
Low
Product
pom
developer id
eu
Low
Product
pom
developer id
forax
Low
Product
pom
developer name
Eric Bruneton
Low
Product
pom
developer name
Eugene Kuleshov
Low
Product
pom
developer name
Remi Forax
Low
Product
pom
groupid
org.ow2.asm
Highest
Product
pom
name
asm
High
Product
pom
organization name
OW2
Low
Product
pom
organization url
http://www.ow2.org/
Low
Product
pom
parent-artifactid
ow2
Medium
Product
pom
parent-groupid
org.ow2
Medium
Product
pom
url
http://asm.ow2.io/
Medium
Version
file
version
9.9
High
Version
Manifest
Bundle-Version
9.9
High
Version
Manifest
Implementation-Version
9.9
High
Version
pom
parent-version
9.9
Low
Version
pom
version
9.9
Highest
Identifiers
pkg:maven/org.ow2.asm/asm@9.9 (Confidence:High)
asm-commons-9.9.jar
Description:
Usefull class adapters based on ASM, a very small and fast Java bytecode manipulation framework
License:
BSD-3-Clause: https://asm.ow2.io/license.html
File Path: /home/runner/.m2/repository/org/ow2/asm/asm-commons/9.9/asm-commons-9.9.jar MD5: 8103b3de8f48fb4c7f97efdaa46ce809 SHA1: db9165a3bf908ded6b08612d583a15d1d0c7bda0 SHA256:db2f6f26150bbe7c126606b4a1151836bcc22a1e05a423b3585698bece995ff8 Referenced In Project/Scope: waffle-jetty:provided asm-commons-9.9.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.6.0-SNAPSHOT
Tree API of ASM, a very small and fast Java bytecode manipulation framework
License:
BSD-3-Clause: https://asm.ow2.io/license.html
File Path: /home/runner/.m2/repository/org/ow2/asm/asm-tree/9.9/asm-tree-9.9.jar MD5: 912eeaba1a63d574ffc66c651c7c6725 SHA1: f8de6eead6d24dd0f45bd065bbe112b2cda6ea21 SHA256:42178f3775c9c63f9e5e1446747d29b4eca4d91bd6e75e5c43cfa372a47d38c6 Referenced In Project/Scope: waffle-jetty:provided asm-tree-9.9.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.ow2.asm/asm-commons@9.9
Evidence
Type
Source
Name
Value
Confidence
Vendor
file
name
asm-tree
High
Vendor
jar
package name
asm
Highest
Vendor
jar
package name
objectweb
Highest
Vendor
jar
package name
tree
Highest
Vendor
Manifest
bundle-docurl
http://asm.ow2.org
Low
Vendor
Manifest
bundle-requiredexecutionenvironment
J2SE-1.5
Low
Vendor
Manifest
bundle-symbolicname
org.objectweb.asm.tree
Medium
Vendor
Manifest
module-requires
org.objectweb.asm;transitive=true
Low
Vendor
pom
artifactid
asm-tree
Highest
Vendor
pom
artifactid
asm-tree
Low
Vendor
pom
developer email
ebruneton@free.fr
Low
Vendor
pom
developer email
eu@javatx.org
Low
Vendor
pom
developer email
forax@univ-mlv.fr
Low
Vendor
pom
developer id
ebruneton
Medium
Vendor
pom
developer id
eu
Medium
Vendor
pom
developer id
forax
Medium
Vendor
pom
developer name
Eric Bruneton
Medium
Vendor
pom
developer name
Eugene Kuleshov
Medium
Vendor
pom
developer name
Remi Forax
Medium
Vendor
pom
groupid
org.ow2.asm
Highest
Vendor
pom
name
asm-tree
High
Vendor
pom
organization name
OW2
High
Vendor
pom
organization url
http://www.ow2.org/
Medium
Vendor
pom
parent-artifactid
ow2
Low
Vendor
pom
parent-groupid
org.ow2
Medium
Vendor
pom
url
http://asm.ow2.io/
Highest
Product
file
name
asm-tree
High
Product
jar
package name
asm
Highest
Product
jar
package name
objectweb
Highest
Product
jar
package name
tree
Highest
Product
Manifest
bundle-docurl
http://asm.ow2.org
Low
Product
Manifest
Bundle-Name
org.objectweb.asm.tree
Medium
Product
Manifest
bundle-requiredexecutionenvironment
J2SE-1.5
Low
Product
Manifest
bundle-symbolicname
org.objectweb.asm.tree
Medium
Product
Manifest
Implementation-Title
Tree API of ASM, a very small and fast Java bytecode manipulation framework
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/com/github/ben-manes/caffeine/caffeine/3.2.3/caffeine-3.2.3.jar MD5: 0258f45d43968523cc11beeb01b240f2 SHA1: c097f0f6d21a0e6db88ea55836e26419b30dfe19 SHA256:ca70c90a5d1ce1511880ce9c93d4ad22108f61111d3daf91eb52762b571bd179 Referenced In Project/Scope: waffle-jetty:compile caffeine-3.2.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jna@3.6.0-SNAPSHOT
checker-qual contains annotations (type qualifiers) that a programmerwrites to specify Java code for type-checking by the Checker Framework.
License:
The MIT License: http://opensource.org/licenses/MIT
File Path: /home/runner/.m2/repository/org/checkerframework/checker-qual/3.52.0/checker-qual-3.52.0.jar MD5: d7eeaac6d7810375c2484fd4faeb2f69 SHA1: 9c17f496846ab1fca8975c6a50ceac0b3bbe63f0 SHA256:0b5bb1a4bdc4e4b1217482fe598efcaab4e1fba7b37f9412639178fc8116fc05 Referenced In Project/Scope: waffle-jetty:compile checker-qual-3.52.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jna@3.6.0-SNAPSHOT
Referenced In Project/Scope: waffle-jetty com.github.waffle:waffle-jna:3.6.0-SNAPSHOT is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.6.0-SNAPSHOT
File Path: /home/runner/.m2/repository/org/eclipse/jdt/ecj/3.43.0/ecj-3.43.0.jar MD5: 571ac60d561935d9538ae77c99a7bdda SHA1: 3217710cfc3c6c20c2921623d1566e97ce5aeb6c SHA256:c786468c65e906498e7e36ece4e0d04c6d3dd34c9a61b34a3a5b512801911a82 Referenced In Project/Scope: waffle-jetty:provided ecj-3.43.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.6.0-SNAPSHOT
File Path: /home/runner/.m2/repository/com/google/errorprone/error_prone_annotations/2.44.0/error_prone_annotations-2.44.0.jar MD5: 11d0ff18fb88d4e4c48a4347e9e4a1e0 SHA1: bbbf88e1d12da9c6f7f204ca78a55446654ce7e1 SHA256:bcf738a525e546c926a233d0a169cf7eafcf703fe81ac9d6994f7244eda29052 Referenced In Project/Scope: waffle-jetty:provided error_prone_annotations-2.44.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.6.0-SNAPSHOT
A set of annotations that provide additional information to the J2ObjC
translator to modify the result of translation.
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/com/google/j2objc/j2objc-annotations/3.1/j2objc-annotations-3.1.jar MD5: abe8bd3abff622b9a8b15c3a737aa741 SHA1: a892ca9507839bbdb900d64310ac98256cab992f SHA256:84d3a150518485f8140ea99b8a985656749629f6433c92b80c75b36aba3b099b Referenced In Project/Scope: waffle-jetty:provided j2objc-annotations-3.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.6.0-SNAPSHOT
File Path: /home/runner/.m2/repository/jakarta/annotation/jakarta.annotation-api/3.0.0/jakarta.annotation-api-3.0.0.jar MD5: 7faffaab962918da4cf5ddfd76609dd2 SHA1: 54f928fadec906a99d558536756d171917b9d936 SHA256:b01f55552284cfb149411e64eabca75e942d26d2e1786b32914250e4330afaa2 Referenced In Project/Scope: waffle-jetty:provided jakarta.annotation-api-3.0.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.6.0-SNAPSHOT
Jakarta Expression Language provides a specification document, API, reference implementation and TCK
that describes an expression language for Java applications.
File Path: /home/runner/.m2/repository/org/glassfish/jakarta.el/3.0.4/jakarta.el-3.0.4.jar MD5: a4ff0d711c405e054f8166c2ea893e0e SHA1: f48473482c0e3e714f87186d9305bcae30b7f5cb SHA256:3b8d4311b47fb47d168ad4338b6649a7cc21d5066b9765bd28ebca93148064be Referenced In Project/Scope: waffle-jetty:provided jakarta.el-3.0.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.6.0-SNAPSHOT
File Path: /home/runner/.m2/repository/jakarta/el/jakarta.el-api/6.0.1/jakarta.el-api-6.0.1.jar MD5: a98f097e059552a75748fcdd067e5c16 SHA1: c7c4a2eb1e40e0ff45ab5e2e52bd77d8c7a75176 SHA256:7e84b5bed49de32b79cc5e85d90b6f5adb1a953ac67283adbb41c1e297f9c605 Referenced In Project/Scope: waffle-jetty:provided jakarta.el-api-6.0.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.6.0-SNAPSHOT
File Path: /home/runner/.m2/repository/jakarta/servlet/jakarta.servlet-api/4.0.2/jakarta.servlet-api-4.0.2.jar MD5: 75523dea16c815e4b111796ea1679b1b SHA1: 60da427ed588aa0cf70cb6cb7209c31e83069364 SHA256:0cd32c92320ae92c8692ef326dfeef756e97760251fca0c45472f299f1c3c916 Referenced In Project/Scope: waffle-jetty:provided jakarta.servlet-api-4.0.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.glassfish.web/jakarta.servlet.jsp.jstl@1.2.6
File Path: /home/runner/.m2/repository/org/glassfish/web/jakarta.servlet.jsp/2.3.6/jakarta.servlet.jsp-2.3.6.jar MD5: 16d8baeceb5503f066c61582085c75cb SHA1: 13192d5874b787c0ce0c70b35e95181e8b683a1c SHA256:990af769158db75833fe8b4d1e56ea778246bc3c6522d434369f1a0bcebf8582 Referenced In Project/Scope: waffle-jetty:provided jakarta.servlet.jsp-2.3.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.6.0-SNAPSHOT
File Path: /home/runner/.m2/repository/jakarta/servlet/jsp/jakarta.servlet.jsp-api/4.0.0/jakarta.servlet.jsp-api-4.0.0.jar MD5: 6fddc938119e00e6f934c1b37120e338 SHA1: a8de3741b91ba7427306104979ab2f084e831438 SHA256:873b7d0c2b5734ef8847634299b67ce879080cdece8426147522c4db8e37c14e Referenced In Project/Scope: waffle-jetty:provided jakarta.servlet.jsp-api-4.0.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.6.0-SNAPSHOT
File Path: /home/runner/.m2/repository/org/glassfish/web/jakarta.servlet.jsp.jstl/1.2.6/jakarta.servlet.jsp.jstl-1.2.6.jar MD5: 7058e8ed0b161b729e6134784750d22b SHA1: f5a092de3b2b087c14ca4b8d6f2c77a1f6802828 SHA256:3b697c6cdf4d28de185e07d63f3682728b5a2b1dd229f5f9deb9b930d64b484a Referenced In Project/Scope: waffle-jetty:provided jakarta.servlet.jsp.jstl-1.2.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.6.0-SNAPSHOT
File Path: /home/runner/.m2/repository/jakarta/servlet/jsp/jstl/jakarta.servlet.jsp.jstl-api/1.2.4/jakarta.servlet.jsp.jstl-api-1.2.4.jar MD5: 5b4683c3a614b37a5de721817e792024 SHA1: 9d23cda192df1192894277fd9d0710abb61329af SHA256:57122ab0151f82e716d825e65627e8064eb108dbeaafafa780687d61d5359454 Referenced In Project/Scope: waffle-jetty:provided jakarta.servlet.jsp.jstl-api-1.2.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.glassfish.web/jakarta.servlet.jsp.jstl@1.2.6
EPL-2.0 OR Apache-2.0
https://www.eclipse.org/legal/epl-2.0/, https://www.apache.org/licenses/LICENSE-2.0
File Path: /home/runner/.m2/repository/org/eclipse/jetty/jetty-io/12.1.3/jetty-io-12.1.3.jar MD5: 32a95435dc101a448372f0b0a3b55974 SHA1: 2c46bf53f41e40df72ff457c40553da2ace7b956 SHA256:bb96db1fc7493403084d41b196b5a0cda94859d396d51511ac19dfb18048c3eb Referenced In Project/Scope: waffle-jetty:provided jetty-io-12.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.eclipse.jetty/jetty-client@12.1.3
Evidence
Type
Source
Name
Value
Confidence
Vendor
file
name
jetty-io
High
Vendor
jar
package name
eclipse
Highest
Vendor
jar
package name
io
Highest
Vendor
jar
package name
jetty
Highest
Vendor
Manifest
build-jdk-spec
22
Low
Vendor
Manifest
bundle-copyright
Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others.
Low
Vendor
Manifest
bundle-docurl
https://jetty.org/
Low
Vendor
Manifest
bundle-symbolicname
org.eclipse.jetty.io
Medium
Vendor
Manifest
Implementation-Vendor
Eclipse Jetty Project
High
Vendor
Manifest
url
https://jetty.org/
Low
Vendor
pom
artifactid
jetty-io
Highest
Vendor
pom
artifactid
jetty-io
Low
Vendor
pom
groupid
org.eclipse.jetty
Highest
Vendor
pom
name
Core :: IO
High
Vendor
pom
parent-artifactid
jetty-core
Low
Product
file
name
jetty-io
High
Product
jar
package name
eclipse
Highest
Product
jar
package name
io
Highest
Product
jar
package name
jetty
Highest
Product
Manifest
build-jdk-spec
22
Low
Product
Manifest
bundle-copyright
Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others.
EPL-2.0 OR Apache-2.0
https://www.eclipse.org/legal/epl-2.0/, https://www.apache.org/licenses/LICENSE-2.0
File Path: /home/runner/.m2/repository/org/eclipse/jetty/jetty-server/12.1.3/jetty-server-12.1.3.jar MD5: 783233a7c09f86458a900b3178a969f9 SHA1: 7741aafcd7d6dc718d04d4cfb883982e361d6577 SHA256:8ecd7b83eaa17f2f86b36c2f88df1a510c428acad691778112f6f7f24015e367 Referenced In Project/Scope: waffle-jetty:provided jetty-server-12.1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.eclipse.jetty.ee8/jetty-ee8-servlet@12.1.3
Evidence
Type
Source
Name
Value
Confidence
Vendor
file
name
jetty-server
High
Vendor
jar
package name
eclipse
Highest
Vendor
jar
package name
jetty
Highest
Vendor
jar
package name
server
Highest
Vendor
Manifest
build-jdk-spec
22
Low
Vendor
Manifest
bundle-copyright
Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others.
Low
Vendor
Manifest
bundle-docurl
https://jetty.org/
Low
Vendor
Manifest
bundle-symbolicname
org.eclipse.jetty.server
Medium
Vendor
Manifest
Implementation-Vendor
Eclipse Jetty Project
High
Vendor
Manifest
url
https://jetty.org/
Low
Vendor
pom
artifactid
jetty-server
Highest
Vendor
pom
artifactid
jetty-server
Low
Vendor
pom
groupid
org.eclipse.jetty
Highest
Vendor
pom
name
Core :: Server
High
Vendor
pom
parent-artifactid
jetty-core
Low
Product
file
name
jetty-server
High
Product
jar
package name
eclipse
Highest
Product
jar
package name
jetty
Highest
Product
jar
package name
server
Highest
Product
Manifest
build-jdk-spec
22
Low
Product
Manifest
bundle-copyright
Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others.
File Path: /home/runner/.m2/repository/org/eclipse/jetty/toolchain/jetty-servlet-api/4.0.6/jetty-servlet-api-4.0.6.jar MD5: d63413e02885c25d0129e3d2936606f6 SHA1: 959c5d83d08f5cddf56caff749e48b735193191b SHA256:d90bf1f8a9d2ba89f4510bb51e1516dcf94ef6dc034e00f233654abdd78f2210 Referenced In Project/Scope: waffle-jetty:provided jetty-servlet-api-4.0.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.eclipse.jetty.ee8/jetty-ee8-apache-jsp@12.1.3
Evidence
Type
Source
Name
Value
Confidence
Vendor
file
name
jetty-servlet-api
High
Vendor
jar
package name
servlet
Highest
Vendor
Manifest
build-jdk-spec
11
Low
Vendor
Manifest
bundle-docurl
https://eclipse.org/jetty
Low
Vendor
Manifest
bundle-requiredexecutionenvironment
JavaSE-11
Low
Vendor
Manifest
bundle-symbolicname
org.eclipse.jetty.servlet-api
Medium
Vendor
pom
artifactid
jetty-servlet-api
Highest
Vendor
pom
artifactid
jetty-servlet-api
Low
Vendor
pom
groupid
org.eclipse.jetty.toolchain
Highest
Vendor
pom
name
Jetty :: Servlet API and Schemas for JPMS and OSGi
High
Vendor
pom
parent-artifactid
jetty-toolchain
Low
Product
file
name
jetty-servlet-api
High
Product
jar
package name
servlet
Highest
Product
Manifest
build-jdk-spec
11
Low
Product
Manifest
bundle-docurl
https://eclipse.org/jetty
Low
Product
Manifest
Bundle-Name
Eclipse Jetty Servlet API and Schemas for JPMS and OSGi
Medium
Product
Manifest
bundle-requiredexecutionenvironment
JavaSE-11
Low
Product
Manifest
bundle-symbolicname
org.eclipse.jetty.servlet-api
Medium
Product
pom
artifactid
jetty-servlet-api
Highest
Product
pom
groupid
org.eclipse.jetty.toolchain
Highest
Product
pom
name
Jetty :: Servlet API and Schemas for JPMS and OSGi
File Path: /home/runner/.m2/repository/net/java/dev/jna/jna/5.18.1/jna-5.18.1.jar MD5: cb531ec131e1c68c045b5d45fe5b9878 SHA1: b27ba04287cc4abe769642fe8318d39fc89bf937 SHA256:260c4b1e22b1db9e110ee441c4f13ce115f841fa48c41d78750986214b395557 Referenced In Project/Scope: waffle-jetty:compile jna-5.18.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jna@3.6.0-SNAPSHOT
File Path: /home/runner/.m2/repository/net/java/dev/jna/jna-platform/5.18.1/jna-platform-5.18.1.jar MD5: a7af00779ec98bfe22dfb07b1532830d SHA1: dd817f391efc492041c9ae91127527c13750a789 SHA256:ad14c1b1ec4f43d396231219dfa635ebf828f738eac9f890ea1bc07795892d9a Referenced In Project/Scope: waffle-jetty:compile jna-platform-5.18.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jna@3.6.0-SNAPSHOT
An artifact of well-named and well-specified annotations to power static analysis checks
License:
The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/jspecify/jspecify/1.0.0/jspecify-1.0.0.jar MD5: 9133aba420d0ca3b001dbb6ae9992cf6 SHA1: 7425a601c1c7ec76645a78d22b8c6a627edee507 SHA256:1fad6e6be7557781e4d33729d49ae1cdc8fdda6fe477bb0cc68ce351eafdfbab Referenced In Project/Scope: waffle-jetty:compile jspecify-1.0.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.junit.jupiter/junit-jupiter-engine@6.0.1
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar MD5: dd83accb899363c32b07d7a1b2e4ce40 SHA1: 25ea2e8b0c338a877313bd4672d3fe056ea78f0d SHA256:766ad2a0783f2687962c8ad74ceecc38a28b9f72a2d085ee438b7813e928d0c7 Referenced In Project/Scope: waffle-jetty:provided jsr305-3.0.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.spotbugs/spotbugs-annotations@4.9.8
File Path: /home/runner/.m2/repository/org/mortbay/jasper/mortbay-apache-el/9.0.108.1/mortbay-apache-el-9.0.108.1.jar MD5: d461c8524ee40d8514c8482a23f7cc29 SHA1: 16b7ffddb0b4da6e94b4c80f07cb108e51a89ce9 SHA256:d18a118cf81a0d91c24ed5b68d0cac163d5660f750c5460775dce580b01aa80a Referenced In Project/Scope: waffle-jetty:provided mortbay-apache-el-9.0.108.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.eclipse.jetty.ee8/jetty-ee8-apache-jsp@12.1.3
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-190 Integer Overflow or Wraparound
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), NVD-CWE-noinfo
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption, CWE-755 Improper Handling of Exceptional Conditions, CWE-551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests.
CWE-664 Improper Control of a Resource Through its Lifetime, NVD-CWE-Other, CWE-410 Insufficient Resource Pool
Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due Date: 2023-10-31
Notes: This vulnerability affects a common open-source component, third-party library, or protocol used by different products. For more information, please see: HTTP/2 Rapid Reset Vulnerability, CVE-2023-44487 | CISA: https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487; https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/; https://nvd.nist.gov/vuln/detail/CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally.
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Insecure Permissions, NVD-CWE-Other
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
CWE-209 Generation of Error Message Containing Sensitive Information, NVD-CWE-noinfo
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
NVD-CWE-Other, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
NVD-CWE-noinfo, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
CWE-130 Improper Handling of Length Parameter Inconsistency, NVD-CWE-noinfo
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing.
The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI
differs from the common browsers in how it handles a URI that would be
considered invalid if fully validated against the RRC. Specifically HttpURI
and the browser may differ on the value of the host extracted from an
invalid URI and thus a combination of Jetty and a vulnerable browser may
be vulnerable to a open redirect attack or to a SSRF attack if the URI
is used after passing validation checks.
CWE-1286 Improper Validation of Syntactic Correctness of Input, NVD-CWE-Other
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
CWE-149 Improper Neutralization of Quoting Syntax, NVD-CWE-Other
In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
File Path: /home/runner/.m2/repository/org/mortbay/jasper/mortbay-apache-jsp/9.0.108.1/mortbay-apache-jsp-9.0.108.1.jar MD5: 199b8001493a279f720f0083786d1c44 SHA1: 1c7d0f00e7304db12f6a73114104f983d6ffc34a SHA256:adf0e1741b62e5417d9d41730f4cd21b2a78f5153870d952ad4ed8dfce7295d0 Referenced In Project/Scope: waffle-jetty:provided mortbay-apache-jsp-9.0.108.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.eclipse.jetty.ee8/jetty-ee8-apache-jsp@12.1.3
File Path: /home/runner/.m2/repository/org/slf4j/slf4j-api/2.0.17/slf4j-api-2.0.17.jar MD5: b6480d114a23683498ac3f746f959d2f SHA1: d9e58ac9c7779ba3bf8142aff6c830617a7fe60f SHA256:7b751d952061954d5abfed7181c1f645d336091b679891591d63329c622eb832 Referenced In Project/Scope: waffle-jetty:compile slf4j-api-2.0.17.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jna@3.6.0-SNAPSHOT
GNU LESSER GENERAL PUBLIC LICENSE, Version 2.1: https://www.gnu.org/licenses/old-licenses/lgpl-2.1.en.html
File Path: /home/runner/.m2/repository/com/github/spotbugs/spotbugs-annotations/4.9.8/spotbugs-annotations-4.9.8.jar MD5: d4c2e7bd090be697ad409a4e75684a94 SHA1: ca4a2783a6123e67124fd7feb4caccd2e2ac9a73 SHA256:6f69d6fe9c55a54dcb30e87d8fa2d5f52246af50d7a3445246d9539ef221be1c Referenced In Project/Scope: waffle-jetty:provided spotbugs-annotations-4.9.8.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.6.0-SNAPSHOT